When modifying the existing rule for non-standard SSH to include more information, like responder_port, the results include unintended items. Example 2 below actually flagged port 22 traffic as non-standard SSH:
The default rule:
application_ids = 'ssh' AND responder_port != '22'
Example 1
application_ids = 'ssh' AND (responder_port != '22' OR responder_port != '7999' OR responder_port != '830')
Example 2
application_ids = 'ssh' AND responder_port != '22' OR responder_port != '7999' OR responder_port != '830'
Use "NOT IN" instead of "OR"
The problem with Example #1 is that the 'OR's should be 'AND's. But there's an easier way to write the rule.
application_ids='ssh' AND responder_port NOT IN ('22', '7999', '830')
The problem with using the "OR" in Example #1 is that it will match every port.
For example, the first part will match every port that isn't 22 (including port 7999) and the second part will match every port that isn't 7999 (including port 22). When you 'OR' those, you combine the two lists, so you get everything. Using 'NOT IN' allows you to provide a list. It is also much faster, especially for large lists.
Since the ports are numbers, they don't have to be in single quotes. But it works with single quotes as well, so, for consistency, it's best practice to keep them.
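Here is an added example (not part of the original thread or the product's own code) that evaluates each rule form from the thread against a handful of constructed flow records and lists what each one matches. It assumes that, without parentheses, AND binds tighter than OR in the rule language (as it does in SQL and Python), which is consistent with the report that Example 2 flagged port 22 traffic; the flow records, the `matches` helper and the `and_version`/`not_in_version` names are constructed for the illustration.

```python
# Added example, not from the original post: evaluate the thread's rule forms
# against constructed flow records and show what each flags.
# Assumption: with no parentheses, AND binds tighter than OR in the rule
# language (as in SQL and Python).

# Constructed sample flows; application_ids is the classified protocol and
# responder_port the server-side port.
FLOWS = [
    {"id": "ssh-22",   "application_ids": "ssh",  "responder_port": 22},
    {"id": "ssh-2222", "application_ids": "ssh",  "responder_port": 2222},
    {"id": "ssh-7999", "application_ids": "ssh",  "responder_port": 7999},
    {"id": "ssh-830",  "application_ids": "ssh",  "responder_port": 830},
    {"id": "http-80",  "application_ids": "http", "responder_port": 80},
]

# Known-good SSH ports, kept as strings to mirror the quoted form in the rule.
EXPECTED_SSH_PORTS = ("22", "7999", "830")


def port_not_in(port, allowed):
    """responder_port NOT IN (...): compare as strings so 22 and '22' agree."""
    return str(port) not in {str(a) for a in allowed}


def default_rule(f):
    """application_ids = 'ssh' AND responder_port != '22'"""
    return f["application_ids"] == "ssh" and str(f["responder_port"]) != "22"


def example_1(f):
    """application_ids = 'ssh' AND (responder_port != '22' OR responder_port != '7999' OR responder_port != '830')

    Every port differs from at least two of the three values, so the bracket
    is always true and the rule degenerates to application_ids = 'ssh'.
    """
    p = str(f["responder_port"])
    return f["application_ids"] == "ssh" and (p != "22" or p != "7999" or p != "830")


def example_2(f):
    """application_ids = 'ssh' AND responder_port != '22' OR responder_port != '7999' OR responder_port != '830'

    With AND binding tighter than OR (assumed) this parses as
    (ssh AND port != 22) OR port != 7999 OR port != 830, so the ssh test only
    guards the first term and every flow, SSH or not, matches.
    """
    p = str(f["responder_port"])
    return (f["application_ids"] == "ssh" and p != "22") or p != "7999" or p != "830"


def and_version(f):
    """The answer's first fix: the ORs in Example 1 replaced with ANDs."""
    p = str(f["responder_port"])
    return f["application_ids"] == "ssh" and (p != "22" and p != "7999" and p != "830")


def not_in_version(f):
    """application_ids = 'ssh' AND responder_port NOT IN ('22', '7999', '830')"""
    return f["application_ids"] == "ssh" and port_not_in(f["responder_port"], EXPECTED_SSH_PORTS)


def matches(rule, flows=FLOWS):
    """Return the ids of the flows a rule flags, in input order."""
    return [f["id"] for f in flows if rule(f)]


if __name__ == "__main__":
    for rule in (default_rule, example_1, example_2, and_version, not_in_version):
        print(f"{rule.__name__:15s} -> {matches(rule)}")
```

Running it shows the failure modes side by side: `example_1` flags every SSH flow including port 22, `example_2` flags every flow including the HTTP one, and only `and_version` and `not_in_version` flag just the SSH flow on the unexpected port 2222.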