You mean besides the Core Rules - http://www.modsecurity.org/projects/rules/index.html? You want something PHP-specific?
We also have platform (IIS vs. Apache) and language specific (ASP vs PHP) rules as part of our commercial Enhanced Rule set. The PHP protection rules handle items such as known vulns, detecting errors in response bodies, restricting file extensions, etc… The Enhanced Rule set is included with the commercial support packages for open source Mod users - http://www.breach.com/assets/files/downloads/service_support_datasheet.pdf.
As a matter of fact, we are just getting ready to release a big update for the Enhanced rules (that includes positive security rules for OWA).
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache