Here's my issue:
I am developing a preprocessor for Snort. I am trying to use the out of the box SSL preprocessor as a base line but so far its not making a whole lot of sense. Specifically I want to store the exchange between the server and the client (i.e. the IP addresses, certificates, essentially all the information that is sent before the connection gets encrypted). From what it looks like, looking at the code for the SF_snort_packet, which is the main structure that the rest of the SSL preprocessor uses, there is no way to access all of that information that I want to. Is this true? Is there another way to access the stream directly? Thanks for the input.