drjarmon - Thanks for posting your question on the forum. Unfortunately, there isn't a way to identify the traffic being denied or matched with a hardware ACL.
One thing you could do is create a hardware ACL that is the opposite of the one you have applied to a VLAN or switchport. This hardware ACL will simply be used to filter the debug and would look something like this (based on the ACL you posted above):
ip hw-access-list ext test
deny tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq www log
deny tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq https log
permit ip 192.168.3.0 0.0.0.255 any
router#debug ip packet test
The command "u a" will stop the debug.
This would display all traffic traversing the AOS device that is sourced from 192.168.3.x network but isn't destined for 10.10.10.1 on TCP ports 80 or 443. Please keep in mind if you suspect that this could burden the CPU if a lot of traffic matching the ACL is passing through the device.
Please do not hesitate to let us know if you have any questions.
Thanks,
Noor
