diff --git a/contrib/ossec-testing/tests/dropbear.ini b/contrib/ossec-testing/tests/dropbear.ini
new file mode 100644
index 000000000..b48008ff3
--- /dev/null
+++ b/contrib/ossec-testing/tests/dropbear.ini
@@ -0,0 +1,7 @@
+[already listening]
+log 1 pass = Jun 25 14:04:30 10.0.0.1 dropbear[30746]: Failed listening on '7001': Error listening: Address already in use
+
+rule = 51011
+alert = 1
+decoder = dropbear
+
diff --git a/etc/rules/dropbear_rules.xml b/etc/rules/dropbear_rules.xml
index 8fe0412df..813dfd00a 100644
--- a/etc/rules/dropbear_rules.xml
+++ b/etc/rules/dropbear_rules.xml
@@ -92,6 +92,13 @@
     <description>User successfully logged in using a public key.</description>
     <group>authentication_success,</group>
   </rule>
+
+  <rule id="51011" level="1">
+    <decoded_as>dropbear</decoded_as>
+    <if_sid>1002</if_sid>
+    <match>Error listening: Address already in use</match>
+    <description>Dropbear cannot listen on port.</description>
+  </rule>      
  
    
 </group> <!-- SYSLOG,LOCAL -->