diff --git a/scripts/base/protocols/xmpp/__load__.bro b/scripts/base/protocols/xmpp/__load__.bro
index a10fe855df..0f41578f8a 100644
--- a/scripts/base/protocols/xmpp/__load__.bro
+++ b/scripts/base/protocols/xmpp/__load__.bro
@@ -1 +1,3 @@
 @load ./main
+
+@load-sigs ./dpd.sig
diff --git a/scripts/base/protocols/xmpp/dpd.sig b/scripts/base/protocols/xmpp/dpd.sig
new file mode 100644
index 0000000000..50ae57a669
--- /dev/null
+++ b/scripts/base/protocols/xmpp/dpd.sig
@@ -0,0 +1,5 @@
+signature dpd_xmpp {
+	ip-proto == tcp
+	payload /^(<\?xml[^?>]*\?>)?[\n\r ]*<stream:stream [^>]*xmlns='jabber:/
+	enable "xmpp"
+}
diff --git a/src/analyzer/protocol/xmpp/XMPP.cc b/src/analyzer/protocol/xmpp/XMPP.cc
index c84c372c4d..ee2667a276 100644
--- a/src/analyzer/protocol/xmpp/XMPP.cc
+++ b/src/analyzer/protocol/xmpp/XMPP.cc
@@ -61,7 +61,6 @@ void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		printf("BinPAC Exception: %s\n", e.c_msg());
 		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
index a4417e1601..90b51ec183 100644
--- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
+++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
@@ -16,7 +16,8 @@ refine connection XMPP_Conn += {
 			// Yup, looks like xmpp...
 			bro_analyzer()->ProtocolConfirmation();
 
-		if ( token == "success" || token == "message" )
+		if ( token == "success" || token == "message" || token == "db:result"
+		     || token == "db:verify" || token == "presence" )
 			// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
 			bro_analyzer()->SetSkip(true);
 
@@ -24,9 +25,9 @@ refine connection XMPP_Conn += {
 			client_starttls = true;
 
 		if ( !is_orig && token == "proceed" && client_starttls )
-			{
 			bro_analyzer()->StartTLS();
-			}
+		else if ( !is_orig && token == "proceed" )
+			reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls");
 
 		//printf("Processed: %d %s %s \n", is_orig, c_str(name), c_str(rest));
 
diff --git a/src/analyzer/protocol/xmpp/xmpp-protocol.pac b/src/analyzer/protocol/xmpp/xmpp-protocol.pac
index e05268fe32..9b21679c30 100644
--- a/src/analyzer/protocol/xmpp/xmpp-protocol.pac
+++ b/src/analyzer/protocol/xmpp/xmpp-protocol.pac
@@ -3,6 +3,7 @@ type XML_END = RE/>/;
 type XML_NAME = RE/\/?[?:[:alnum:]]+/;
 type XML_REST = RE/[^<>]*/;
 type SPACING = RE/[ \r\n]*/;
+type CONTENT = RE/[^<>]*/;
 
 type XMPP_PDU(is_orig: bool) = XMPP_TOKEN(is_orig)[] &until($input.length() == 0);
 
@@ -12,6 +13,6 @@ type XMPP_TOKEN(is_orig: bool) = record {
 	name: XML_NAME;
 	rest: XML_REST;
 	: XML_END;
-	: SPACING;
+	tagcontent: CONTENT;
 };
 
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log
new file mode 100644
index 0000000000..0ce11b2e6f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2015-07-21-20-08-11
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1437091702.232293	CXWv6p3arKYeMETxOg	198.128.203.95	56048	146.255.57.229	5222	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	F5Nz2G1vSZQ0QXM2s8,FUw8omi2keRxShDUa	(empty)	CN=jabber.ccc.de,O=Chaos Computer Club e.V.,L=Hamburg,ST=Hamburg,C=DE	emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA	-	-
+#close	2015-07-21-20-08-11
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log
new file mode 100644
index 0000000000..15641ba5b0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2015-07-21-20-18-36
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1437506779.381295	CXWv6p3arKYeMETxOg	184.73.173.246	1193	104.236.167.107	5269	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp384r1	-	F	-	-	T	FLFr7Z1TXmFDv9FwC2,FydVem3ToAkEIAHD29,FK07OA1VxtQi69Irde	F3D2e62Vxl7iTnwbA4,FUCD5w4ABMG5N0YvSi,FxWUEd3mgvThYO2uod,FGOrVE2laVCPsCLMF6	CN=www.0xxon.net,OU=Free SSL,OU=Domain Control Validated	CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	CN=*.hosted.im,OU=Domain Control Validated	CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US
+#close	2015-07-21-20-18-36
diff --git a/testing/btest/Traces/tls/xmpp-dialback-starttls.pcap b/testing/btest/Traces/tls/xmpp-dialback-starttls.pcap
new file mode 100644
index 0000000000..ad55c6eceb
Binary files /dev/null and b/testing/btest/Traces/tls/xmpp-dialback-starttls.pcap differ
diff --git a/testing/btest/scripts/base/protocols/xmpp/client-dpd.test b/testing/btest/scripts/base/protocols/xmpp/client-dpd.test
new file mode 100644
index 0000000000..9c9cc29c8a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/xmpp/client-dpd.test
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/tls/xmpp-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+@load base/frameworks/dpd
+@load base/frameworks/signatures
+@load base/protocols/ssl
+@load base/protocols/conn
+@load-sigs base/protocols/xmpp/dpd.sig
diff --git a/testing/btest/scripts/base/protocols/xmpp/server-dialback-dpd.test b/testing/btest/scripts/base/protocols/xmpp/server-dialback-dpd.test
new file mode 100644
index 0000000000..9483c0cca8
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/xmpp/server-dialback-dpd.test
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/tls/xmpp-dialback-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+@load base/frameworks/dpd
+@load base/frameworks/signatures
+@load base/protocols/ssl
+@load base/protocols/conn
+@load-sigs base/protocols/xmpp/dpd.sig