1) The only thing I can think of is to look for a very large number of SYN packets. From what I understand, the basic idea of a DoS attack is to open all the network connections allowed and cause the router/server to deny opening any more. Now, those SYN packets would probably come from illegitimate addresses, such as any of the private blocks (10.x.x.x, 172.16.x.x, 192.168.x.x), so as to keep a computer from answering a SYN packet request.
2) When the port is "closed", you're responding back to a request if the port is open or not. The only way to truly "stealth" a port (as in make it seem like nothing exists) is to filter it, and that basically means not responding to anything that hasn't been asked for. The reason you don't see firewall logs grow when the firewall is off is that your computer, even with ports closed, is responding to requests.
3) Normal operation does not include "scanning" for ports. Scanning for ports means sending SYN packets to sequential ports to see what state the port is in. You can randomize what order you hit ports in to find scanning attempts, but I think they're generally still caught, though.
4) For intrusion detection, do as you see fit. Although many good security guys will tailor intrusion detection as they see fit.
5) Look in books, on the web, here... basically, go anywhere you can to find information, and try to find that information from 3 sources if you want to ensure its legitimacy.
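
The two signals described in points 1 and 3, as an added example that is not part of the original post: a sketch that counts uncompleted SYNs per destination port, counts SYNs from private source blocks, and flags any source that touches many distinct ports (so probe order does not matter). The packet tuples, thresholds and function names are constructed for illustration, and netting ACKs against SYNs per port is a simplification of real handshake tracking.

```python
import ipaddress
from collections import Counter, defaultdict

# Private blocks (RFC 1918); SYNs claiming these sources on a public link are suspect.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def sample_packets():
    """Constructed records: (source IP, destination port, flag); S = SYN, A = ACK."""
    pkts = []
    # Flood: 300 bare SYNs to port 80 from private sources, handshake never completed
    for i in range(300):
        pkts.append((f"10.0.{i // 250}.{i % 250 + 1}", 80, "S"))
    # Scan: one source sends a single SYN to each of ports 1..40
    for port in range(1, 41):
        pkts.append(("203.0.113.7", port, "S"))
    # Normal client: SYN followed by the ACK that completes the handshake
    pkts += [("198.51.100.20", 443, "S"), ("198.51.100.20", 443, "A")]
    return pkts

def analyze(packets, flood_threshold=200, scan_threshold=20):
    syns, acks = Counter(), Counter()
    ports_by_src = defaultdict(set)
    private_syns = 0
    for src, dport, flag in packets:
        if flag == "S":
            syns[dport] += 1
            ports_by_src[src].add(dport)  # a set, so probe order is irrelevant
            if any(ipaddress.ip_address(src) in net for net in PRIVATE):
                private_syns += 1
        elif flag == "A":
            acks[dport] += 1
    # Flood signal: SYNs far outnumber completed handshakes on one port
    flooded = sorted(p for p, n in syns.items() if n - acks[p] >= flood_threshold)
    # Scan signal: one source has probed many distinct ports
    scanners = sorted(s for s, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return {"flooded_ports": flooded, "scanners": scanners, "private_source_syns": private_syns}

if __name__ == "__main__":
    print(analyze(sample_packets()))
```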