--- /dev/null
+[rshd: illegal]
+log 1 pass = Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port
+log 2 fail = Dec 17 10:49:23 hostname rhsd[347339]: Connection from 10.217.223.31 on illegal port
+
+rule = 2551
+alert = 10
+decoder = rshd
+