Art Age Software | 7 Mar 03:23

Having Trouble Fixing False Positive

Hi,

Hoping someone can help me figure out what I'm doing wrong. I'm seeing
a bunch of false positives when rule #959006 fires due to specific
strings that show up in a specific Google Analytics cookie. The cookie
name is "__utmz", so I created a replacement rule that excludes that
cookie by name as follows:

----
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/^__utmz$/
\

SecRuleRemoveById 959006
----

However, mod-security is now firing the same false positive against my
new rule. I can see it is matching against the new rule (#101) and
against the very cookie that I excluded (__utmz):

----
Message: Access denied with code 501 (phase 2). Pattern match
"/big-pattern-omitted/" at REQUEST_COOKIES:__utmz. [file
"/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "11"]
[id "101"] [msg "System Command Injection"]
----

Any idea what I'm doing wrong here? I followed the procedure outlined
in this article:
http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

Thanks,

Sam
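
Added example, not part of the post above or of the ModSecurity project's own rule set. In ModSecurity 2.x a "!" target exclusion is scoped to the single collection it names, so "!REQUEST_COOKIES_NAMES:/^__utmz$/" only stops the cookie name from being inspected; the cookie value is still fed to the rule through REQUEST_COOKIES, which is exactly where the audit log reports the match. The configuration below shows the posted target list beside one that excludes the cookie from both collections. The operator and pattern of rule 959006 are omitted in the post, so "<pattern-omitted>" is a placeholder to be replaced with the real rule body; id 101 and the deny/501 action mirror the log line in the post.

```apache
# Added example; not the original poster's file. "<pattern-omitted>" stands in
# for the CRS operator/pattern that the post does not reproduce.

# As posted, the target list ends with:
#   ...|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/^__utmz$/
# The exclusion removes "__utmz" from REQUEST_COOKIES_NAMES only; the value of
# the cookie is still examined via REQUEST_COOKIES, hence the match reported at
# REQUEST_COOKIES:__utmz.

# Corrected local copy of the rule: each collection that can carry the cookie
# gets its own exclusion, so neither the value nor the name of __utmz is scanned.
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|!REQUEST_COOKIES:/^__utmz$/|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/^__utmz$/ \
    "<pattern-omitted>" \
    "phase:2,id:101,deny,status:501,msg:'System Command Injection'"

# Disable the original CRS rule so only the local copy runs. This directive must
# appear after the file that defines 959006 has been included, otherwise there
# is nothing to remove yet.
SecRuleRemoveById 959006

# On ModSecurity 2.6 and later the same effect is available without copying the
# rule at all: amend the original rule's targets in place and keep its pattern.
# (Assumes a 2.6+ release; on older engines use the copy-and-remove form above.)
#SecRuleUpdateTargetById 959006 "!REQUEST_COOKIES:/^__utmz$/"
```

A quick check after reloading the server is to replay the same request that produced the audit entry and confirm that the log no longer shows "at REQUEST_COOKIES:__utmz" for id 101; if another cookie starts matching instead, that is a separate false positive and needs its own exclusion rather than a broader one.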

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users