Ive been looking at monitoring for a while. My org didnt have any before i came other than 'whered my yahoo go'. It appears that most packages out there focus on negative monitoring (ie, this service/host was up and now its not). This seems like a valid first step, but what can you look at past that for positive monitoring (ie that port wasnt up, and now it is, or hey look thats a new DHCP host)? I suppose its possible to have a declaration for every single port/network address in nagios, but that seems cumbersome.
Does anyone know of a better tool for monitoring ports/hosts for affirmatively down?
We use nmap for this. We have a simple script wrapping nmap that scans our entire network and stores the XML output. The next night it runs again and compares the output. If any new hosts or ports show up, an email is sent to the admin staff.
The just-released Nmap 5.0 includes a utility for just this purpose called Ndiff.
For hosts that you know about, Nagios/Zenoss/OpenNMS are your best bet - they can be configured to notify when hosts and/or services go down, or come back up. They're mostly smart enough not to start alerting about ALL the services on a host if the host itself's down, as well; it's important to configure these sorts of things properly, so that you don't get deluged with 20 alerts because of a server reboot. If there's that much information about trivial stuff, sooner or later you'll end up pretty much ignoring it and missing something important.
For the second half of your question, Catherine's right; you're looking at an Intrusion Detection System (IDS). These can be configured to know what your network should look like in terms of hosts, topology, traffic types and so on, then alert you if anything other than what you've defined as "ordinary" happens. A couple of examples would be Snort and OSSEC.
What you are looking for isn't really monitoring as much as it is security. I am not a security expert, but there are a number of network scanning tools out there that can be "taught" what to expect and then will tell you if something is out of the ordinary.
For your specific questions, I'd use something like arpwatch to watch for changes in ARP addresses and portsentry to watch for anyone trying to connect to unused ports. You could use other tools as well.
These tools can then be integrated into an active or passive check for Nagios.
Nagios includes a wide range of plugins and modules for active/intrusive monitoring and passive monitoring. It should include everything you need!