Hi Ken,
I'd send Ziv an email. I'm sure he'd be happy to help you get started in diagnosing/fixing the issue.
Most of the XSS-related signatures are in the "All Systems" set. Do you have this set enabled? Are the signatures out of staging? Is the policy in blocking mode for 'Attack Signature detected'?
Where in the request is the XSS? Is it in a parameter value, parameter name, header value, object, etc.? Do you have a wildcard object and/or parameter defined? What is the text of the attack? Can you post the HTTP headers/body of the attack example?
Aaron