Syntactically, this seems correct, but your approach is not suitable for this purpose. The string patch matches a string anywhere in the packet:
- You are dropping any packet that has
watch or .watch anywhere. This is likely to cause false positives, and even introduces a new vector for denial of service attacks.
- It cannot handle encrypted traffic. It is unable to block majority of web traffic.
- Although you have relatively good options for the matching algorithm (
bm Boyer–Moore & kmp Knuth–Pratt–Morris), the use of the string filter can still be compute intensive.
The documentation explicitly warns against this, too:
Please do use this match with caution. A lot of people want to use
this match to stop worms, along with the DROP target. This is a major
mistake. It would be defeated by any IDS evasion method.
In a similar fashion, a lot of people have been using this match as a
mean to stop particular functions in HTTP like POST or GET by dropping
any HTTP packet containing the string POST. Please understand that
this job is better done by a filtering proxy. Additionally, any HTML
content with the word POST would get dropped with the former method.
This match has been designed to be able to queue to userland
interesting packets for better analysis, that's all. Dropping packet
based on this would be defeated by any IDS evasion method.
There are better alternatives for what you are trying to achieve:
- DNS based filtering. Any DNS server can do this. E.g., Dnsmasq is a common lightweight DNS forwarder: you could just add
address=/watch/0.0.0.0 to its configuration.
- Web proxy based filtering.
