Suricata

The SSLv2 record format starts with 2 byte length, then it has a 1 byte
message-type field set to |01| for the client handshake, then a 2 byte
protocol version.

The SSLv3 record format (in use with modern TLS) starts with the
message-type of |16| and then the protocol, followed by the length.

This means that several of the patterns in the SSL app-layer detection
code are incorrect because they're looking in the wrong place in the
packet.

They should be looking at offset 2, depth 5. Not offset 0, depth 3.