
Summary
This analytic rule detects inbound SSH connections on non-standard ports to network devices monitored by Cisco Secure Firewall. Advanced Persistent Threat (APT) actors have been observed enabling SSH servers on non-default TCP ports, which can indicate a persistence mechanism or backdoor access established on a compromised system. The rule relies on Snort signature 65369, which identifies SSH protocol traffic on ports that deviate from conventional configurations. Because network configurations generally assume SSH traffic uses TCP port 22, SSH traffic observed on any other port warrants further scrutiny as possibly malicious.
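The following is an added example of the detection logic described above, not the rule's own query or Cisco's code. It runs over constructed Cisco Secure Firewall style intrusion-event lines, keeps only Snort signature 65369 hits whose destination is a monitored device on a port outside an approved SSH-port allowlist, and groups the results by target; the field layout, the monitored address range and the allowlist are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Snort signature cited by the analytic rule, and the port SSH is normally expected on.
SNORT_SID_SSH_NONSTANDARD = "65369"
EXPECTED_SSH_PORTS = {22}
# Assumption (constructed): the monitored network devices live in this range.
MONITORED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample intrusion-event syslog lines in a Cisco Secure Firewall (FTD)
# "Key: value, Key: value" style. The field names and layout are an assumption for
# this example; adapt parse_event() to the fields your export actually emits.
SAMPLE_EVENTS = [
    '%FTD-1-430001: SrcIP: 203.0.113.25, DstIP: 10.0.0.5, SrcPort: 51022, DstPort: 2222, '
    'Protocol: tcp, GID: 1, SID: 65369, Message: "SSH on non-standard port"',
    '%FTD-1-430001: SrcIP: 198.51.100.7, DstIP: 10.0.0.5, SrcPort: 40211, DstPort: 2222, '
    'Protocol: tcp, GID: 1, SID: 65369, Message: "SSH on non-standard port"',
    '%FTD-1-430001: SrcIP: 203.0.113.99, DstIP: 10.0.0.9, SrcPort: 60112, DstPort: 2022, '
    'Protocol: tcp, GID: 1, SID: 65369, Message: "SSH on non-standard port"',
    # outbound: an internal host reaching an external SSH server, not inbound access
    '%FTD-1-430001: SrcIP: 10.0.0.44, DstIP: 192.0.2.10, SrcPort: 55010, DstPort: 2222, '
    'Protocol: tcp, GID: 1, SID: 65369, Message: "SSH on non-standard port"',
    # unrelated signature (placeholder SID) firing on some other non-standard port
    '%FTD-1-430001: SrcIP: 203.0.113.25, DstIP: 10.0.0.5, SrcPort: 51100, DstPort: 8443, '
    'Protocol: tcp, GID: 1, SID: 999999999, Message: "placeholder, some other signature"',
]

def parse_event(line):
    """Parse 'Key: value' pairs into a dict; a quoted Message may itself contain commas."""
    body = line.split(": ", 1)[1] if line.startswith("%") else line  # drop syslog mnemonic
    return {k: v.strip('"').strip() for k, v in re.findall(r'(\w+): ("[^"]*"|[^,]+)', body)}

def is_inbound_nonstandard_ssh(ev, allowed_ports=EXPECTED_SSH_PORTS):
    """True when signature 65369 fired on a connection into a monitored device on an unapproved port."""
    if ev.get("GID") != "1" or ev.get("SID") != SNORT_SID_SSH_NONSTANDARD:
        return False
    dst = ipaddress.ip_address(ev["DstIP"])
    if not any(dst in net for net in MONITORED_NETS):  # only inbound to monitored devices
        return False
    return int(ev["DstPort"]) not in allowed_ports  # approved alternate ports cut false positives

def find_hits(lines, allowed_ports=EXPECTED_SSH_PORTS):
    """Return the parsed events that match the rule."""
    return [ev for ev in map(parse_event, lines) if is_inbound_nonstandard_ssh(ev, allowed_ports)]

def summarize(hits):
    """Count hits per destination host:port, the grouping an analyst triages first."""
    return Counter(f"{ev['DstIP']}:{ev['DstPort']}" for ev in hits)

if __name__ == "__main__":
    for target, n in summarize(find_hits(SAMPLE_EVENTS)).items():
        print(f"{target}: {n} inbound SSH alert(s) on a non-standard port")
```

Ports that an organization has deliberately chosen for SSH belong in `allowed_ports`; otherwise every legitimate connection to them fires the rule.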
Categories
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1021.004
Created: 2026-01-06