Suricata

Using Suricata 1.4.5 and beta.

Three pcaps attached -
AbnormalOrderIPv6NonRFC2460Recommended.pcap
AbnormalOrderIPv6HopByHopNotFirst.pcap
AbnormalOrderIPv6HopByHopNotFirst-2.pcap

RFC2460 recommends the order in which they should be chained in an IPv6 packet:
1. IPv6 main header
2. Hop-by-Hop Options header (if present, it MUST be the first one following the main/regular header)
3. Destination Options header
4. Routing header
5. Fragment header
6. Authentication header
7. Encapsulating Security Payload header
8. Destination Options header
9. Upper-layer header
The only MUST requirement is that the Hop-by-Hop EH has to be the first one.

Ref: http://www.ietf.org/rfc/rfc2460.txt

The above mentioned pcaps (attached) mimic the opposite of the recommendations and requirements of the RFC2460

In AbnormalOrderIPv6NonRFC2460Recommended.pcap - the Extension Headers are not ordered as recommended in RFC2460

In AbnormalOrderIPv6HopByHopNotFirst.pcap - the Hop By Hop extension header is present and not first after the main/regular header.
In AbnormalOrderIPv6HopByHopNotFirst-2.pcap - the Hop By Hop extension header is present and not first after the main/regular header.

Currently Suricata does not alert in those cases where the order of EH is against the recommended by RFC2460. It could be helpful to include such a rule.