Something like this should work for you. Just check the Referer header and see if it's from the same domain as the request.
when HTTP_REQUEST {
if { [HTTP::header exists "Referer"] } {
if { ! ([HTTP::header "Referer"] starts_with "http://[HTTP::host]") } {
log local0. "Someone is hotlinking this image. Uri: [HTTP::uri]; Referer: '[HTTP::header Referer]'";
}
}
}
this only checks http:// requests. You'll need to add additional logic to check for https:// urls.
As for alerting, you should be able to setup an alert on syslog to trigger when the above string is added to the log.
-Joe