Challenge traffic but specific websites

I would like to challenge traffic from specific countries, but if such traffic is coming from specific websites, the challenge should not take place.
I made the following rule in the web application firewall:

(ip.geoip.country in {"country1" "country2" "country3"} and (http.referer ne "site1.com" or http.referer ne "site2.com"))

with the action being “managed challenge”. However, I’m not sure the rule is correctly written, as the traffic coming from one of the websites involved in the rule seems to trigger the managed challenge anyway. Is the rule correctly written for the purpose I would like it to manage?
Thank you.
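
Added example (not part of the original post, and not Cloudflare's code): a Python model of the rule's boolean logic run over constructed requests, comparing the posted `ne ... or ne ...` form with a `not (... or ...)` form. The country codes, sample referers and function names are assumptions made for illustration; the rewritten form uses `contains` because the Referer header carries a full URL rather than a bare hostname.

```python
# Models the boolean logic only; this is not Cloudflare's rule evaluator.
# A rule expression with the same logic as intended_rule() would be:
#   (ip.geoip.country in {"AA" "BB" "CC"} and
#    not (http.referer contains "site1.com" or http.referer contains "site2.com"))

COUNTRIES = {"AA", "BB", "CC"}               # placeholders for country1..country3
ALLOWED_SITES = ("site1.com", "site2.com")   # site names as written in the post

# Constructed sample requests: (country, Referer header value)
SAMPLES = [
    ("AA", "https://site1.com/article"),   # listed country, exempt referer (full URL)
    ("AA", "site1.com"),                   # exact string match on one site
    ("BB", "https://www.site2.com/"),      # listed country, other exempt referer
    ("AA", "https://other.example/"),      # listed country, unrelated referer
    ("AA", ""),                            # listed country, no referer
    ("ZZ", "https://other.example/"),      # country not in the list
]


def posted_rule(country, referer):
    """The posted logic: country match AND (referer != site1 OR referer != site2).

    A single string cannot equal both sites at once, so at least one of the
    two 'ne' tests is always true and the referer clause never exempts anything.
    """
    return country in COUNTRIES and (referer != "site1.com" or referer != "site2.com")


def intended_rule(country, referer):
    """Country match AND the referer mentions none of the exempt sites."""
    return country in COUNTRIES and not any(site in referer for site in ALLOWED_SITES)


def challenged(rule):
    """Return, per sample request, whether the rule would fire (challenge)."""
    return [rule(country, referer) for country, referer in SAMPLES]


if __name__ == "__main__":
    for (country, referer), old, new in zip(
        SAMPLES, challenged(posted_rule), challenged(intended_rule)
    ):
        print(f"{country} {referer!r:32} posted={old!s:5} intended={new}")
```

The Referer header is supplied by the client, so an exemption based on it is a convenience filter rather than proof of where a visitor came from.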