TLS Handshake Fragments not Reassembled
TLS handshakes can be sent in multiple TLS frames. This is because the handshakes can be larger than the max size of a single frame (24-bit length field vs. 16-bit length field).
Suricata appears not to combine such fragments, which means that TLS app-layer rules can be evaded and TLS events can be hidden if Suricata is configured to log TLS events.
Attached are two semantically equivalent pcaps which show the same client hello message in Wireshark but which produce INVALID_SSL_RECORD and INVALID_HANDSHAKE_MESSAGE anomaly events in Suricata.
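The reassembly the report says is missing, as an added example (not Suricata's code, and not taken from the attached pcaps): handshake record payloads are buffered per flow direction, and a message is parsed only once its full 24-bit length has arrived. The names `hs_reasm`, `hs_feed`, `hs_next`, the buffer cap and the sample bytes are assumptions made for this sketch, and each call to `hs_feed` is assumed to receive whole records.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HS_BUF_MAX 65536 /* reassembly cap chosen for this example */

typedef struct { uint8_t buf[HS_BUF_MAX]; size_t len; } hs_reasm;

/* Constructed samples: one toy handshake message (type 1, 6-byte body, not a
 * real ClientHello) sent in one TLS record, then split across two records. */
const uint8_t ONE_RECORD[] = {22,3,3,0,10, 1,0,0,6,'a','b','c','d','e','f'};
const uint8_t TWO_RECORDS[] = {22,3,3,0,3, 1,0,0,
                               22,3,3,0,7, 6,'a','b','c','d','e','f'};

/* Append the payload of every handshake record (content type 22) in p[0..n)
 * to the flow's buffer. Returns 0, or -1 on a truncated record or overflow. */
int hs_feed(hs_reasm *st, const uint8_t *p, size_t n)
{
    while (n > 0) {
        if (n < 5) return -1;                       /* record header is 5 bytes */
        size_t rlen = ((size_t)p[3] << 8) | p[4];   /* 16-bit record length */
        if (n - 5 < rlen) return -1;
        if (p[0] == 22) {
            if (rlen > HS_BUF_MAX - st->len) return -1;
            memcpy(st->buf + st->len, p + 5, rlen);
            st->len += rlen;
        }
        p += 5 + rlen;
        n -= 5 + rlen;
    }
    return 0;
}

/* Pop one complete handshake message into body. Returns its type, -1 if more
 * records are needed, or -2 if it cannot fit in the buffer or in body. */
int hs_next(hs_reasm *st, uint8_t *body, size_t cap, size_t *body_len)
{
    if (st->len < 4) return -1;                     /* type + 24-bit length */
    size_t mlen = ((size_t)st->buf[1] << 16) | ((size_t)st->buf[2] << 8) | st->buf[3];
    if (mlen > HS_BUF_MAX - 4 || mlen > cap) return -2;
    if (st->len - 4 < mlen) return -1;              /* fragment still missing */
    int type = st->buf[0];
    memcpy(body, st->buf + 4, mlen);
    *body_len = mlen;
    st->len -= 4 + mlen;
    memmove(st->buf, st->buf + 4 + mlen, st->len);  /* keep any following bytes */
    return type;
}
```

With this buffering, both sample encodings yield the same message type and body, so a rule or log entry keyed on the parsed handshake sees identical input either way.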