I recently went over some of the mod security rules from gotroot. Lots were pretty useful but I notice most of them were for stuff no one even uses and some just gave false positives on everything. After extensive testing and checking my audit logs regularly I finally come up with a real good set of apache 2 rules. Although I say lots of the phpbb stuff is useless as its for older versions, its probably still good to have seeing as most of the exploits are similar. Here are the rules, rename them to rulez.conf when you wget them to your rules directory.