After further investigation, it turns out the actual web listening was being hosted by the System process. As explained in answers to another question, apparently all HTTP listening winds up going through the System process.
Setting the application in the rule to "System" worked for this.