The rule looks like it should work. Can you try this version with debug logging to see what's being matched for each cookie?
    when HTTP_RESPONSE {
        # Only inspect responses from the server identified by this Server header value
        if { [HTTP::header "server"] equals "blah" } {
            log local0. "Checking cookies: [HTTP::cookie names]"
            foreach aCookie [HTTP::cookie names] {
                log local0. "Checking cookie: $aCookie, with domain: [HTTP::cookie domain $aCookie]"
                # Case-insensitive match on the cookie name
                if {[string tolower $aCookie] equals "offending_cookie"} {
                    log local0. "Removing cookie: $aCookie in name check"
                    HTTP::cookie remove $aCookie
                # Otherwise, substring match on the cookie's domain attribute
                } elseif {[HTTP::cookie domain $aCookie] contains ".bad.domain.com"} {
                    log local0. "Removing cookie: $aCookie in domain check"
                    HTTP::cookie remove $aCookie
                }
            }
        }
    }
Once you're done testing, you can comment out or remove the debug logging.
Aaron