mod_security

There are two main evasion issues to be concerned with for any WAF -

1) Evasion of the engine/parsing itself
These are usually impedance mispatches between the WAF and underlying app.  There were some issues in the past with handling null bytes and multi-part filenames identified by Stefan Esser
http://www.suspekt.org/downloads/RSS09-WebApplicationFirewallBypassesAndPHPExploits.pdf

There was a similar recent one found by my SpiderLabs colleague Andrew Wilson where clients can specify random/invalid content-types and ModSecurity would not inspect it but the app would handle it normally. This was fixed in recent OWASP CRS updates. 

2) Evasion of the rules
There are always issues with negative security rules. You can test out evasions here -
http://www.modsecurity.org/demo/crs-demo.html

We had an SQL Injection Challenge last summer which included evasions for the ModSecurity OWASP CRS -
http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

Hope this info helps.