diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig
index e238575568..2ebe1cc634 100644
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@@ -1,7 +1,7 @@
 signature dpd_ssl_server {
 ip-proto == tcp
 # Server hello.
- payload /^(\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
+ payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
 requires-reverse-signature dpd_ssl_client
 enable "ssl"
 tcp-state responder
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
index b59ed28b18..7b2d255900 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
@@ -6,3 +6,5 @@ Client hello, 192.150.187.164, 194.127.84.106, 769
 Client hello, 192.150.187.164, 194.127.84.106, 769
 Start test run
 Client hello, 10.0.0.80, 68.233.76.12, 771
+Start test run
+Client hello, 192.168.6.217, 67.207.128.99, 771
diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test
index ff1f6385ec..dc514ff9d4 100644
--- a/testing/btest/scripts/base/protocols/ssl/dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
@@ -1,6 +1,7 @@
 # @TEST-EXEC: bro -C -b -r $TRACES/tls/ssl-v2.trace %INPUT
 # @TEST-EXEC: bro -b -r $TRACES/tls/ssl.v3.trace %INPUT
 # @TEST-EXEC: bro -b -r $TRACES/tls/tls1.2.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/tls/tls-early-alert.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 @load base/frameworks/dpd
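Review bot: In scripts/base/protocols/ssl/dpd.sig, the optional alert group on the new `payload` line, `(\x15\x03[\x00\x01\x02\x03]....)?`, leaves all four bytes after the version as wildcards, so the record length is not pinned. An alert that arrives before the server hello is still plaintext, which means a two-byte body (level, description) and a length field of `\x00\x02`; writing the group as `(\x15\x03[\x00\x01\x02\x03]\x00\x02..)?` keeps the detection signature as specific as the hello match that follows it. The group also admits only one alert record ahead of the hello, which looks intentional but is worth stating. The comment above still reads `# Server hello.`; I would change it to `# Server hello, optionally preceded by one plaintext alert record.` The closing brace of dpd_ssl_server lies outside the hunk.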