I can confirm that the interface is receiving the packets successfully (from the script). tcpdump captures the HTTP requests just fine from the loop1 interface. I also used tcpreplay to make sure, and it didn’t trigger any of the alerts.
EDIT:
But, I notice the following:
The alert I’ve created is an HTTP alert:
alert http any any -> any any (content:"malware.xyz"; http_header; msg:"MALWARE KEYWORD DETECTED";)
So the script I have only handles/forwards HTTP traffic. But when not using the script, the alert message I see in the log has the tag {TCP}. Does this mean it’s triggered by a TCP packet? Shouldn’t this be HTTP, since it’s an HTTP alert? If so, this would look like the cause of the traffic forwarded by the script not generating any alerts, since only HTTP is being forwarded to the loop1 interface (?).